The OCR announced a $218,400 settlement, together with the adoption of a robust corrective action plan, with St. Elizabeth’s Medical Center (SEMC) of Brighton, MA for alleged HIPAA violations. Two separate events preceded SEMC’s entry into the resolution agreement with HHS.
The first stemmed from a complaint to the OCR that SEMC employees were using an internet-based document sharing application to store ePHI without analyzing the associated security risks, exposing the ePHI of at least 498 individuals. The OCR investigated and alleged that SEMC had failed to timely identify and respond to a known security incident, to mitigate its harmful effects, and to document the incident and its outcome. After that complaint and investigation, SEMC notified the OCR of a second event: a breach of unsecured ePHI on a former employee’s laptop and USB flash drive affecting 595 individuals.
Taken together, these events, and the significant fines and OCR oversight that followed, demonstrate why covered entities and their business associates must pay close attention to HIPAA compliance. In the OCR Bulletin, OCR Director Jocelyn Samuels is quoted as saying: “Organizations must pay particular attention to HIPAA’s requirements when using internet-based document sharing applications.”
Once again, the OCR has demonstrated that it takes HIPAA seriously. All covered entities and business associates should take note and follow the OCR’s recommendation when using internet-based document sharing applications. Click the link to read the bulletin.